I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits. Not today, but it's not impossible tomorrow.

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

At the very least, we're going to need a highly effective spam filter for code contributions

@mttaggart we’ve needed some sort of “reputation” system in OSS (spanning forges and package repositories) a bit more organized than “I’ve seen your pseudonym/avatar on another repo or on Twitter/Mastodon” for some time.

I just hope it will be thoughtfully done and not hacked in place by a single (Github?) provider in reaction to incidents

@vbfox In another context, here's my attempt at reputation for web content: https://ringspace.net
About - Ringspace Trusted Webrings: Protocol Specification